Lecture 1 Building a Risk Management Toolkit
Dr. Barbara Endicott-Popovsky, Dir. CIAC, Dir. MIPM, Assoc. Prof.
Seth Shapiro, Sr. VP, Kibble and Prentice
Ilanko Subramaniam, Maclear LLC
Dr. Barbara Endicott-Popovsky
Department Fellow, Aberystwyth University
Director, Center for Information Assurance and Cybersecurity, University of Washington
Academic Director, Master of Infrastructure Planning and Management
Research Associate Professor, University of Washington Information School
email: [email protected]
Office: Suite 400 RCB
Phone: 206-284-6123
Website: http://faculty.washington.edu/endicott
Barbara Endicott-Popovsky, Ph.D., is Director for the Center of Information Assurance and Cybersecurity at the University of Washington, designated by the NSA as a Center for Academic Excellence in Information Assurance Education and Research, Academic Director for the Masters in Infrastructure Planning and Management in the Urban Planning Department of the School of Built Environments and holds an appointment as Research Associate Professor with the Information School. Her academic career follows a 20-year career in industry marked by executive and consulting positions in IT architecture and project management. Her research interests include enterprise-wide information systems security and compliance management, forensic-ready networks, the science of digital forensics and secure coding practices. For her work in the relevance of archival sciences to digital forensics, she is a member of the American Academy of Forensic Scientists. Barbara earned her Ph.D. in Computer Science/Computer Security from the University of Idaho (2007), and holds a Masters of Science in Information Systems Engineering from Seattle Pacific University (1987), a Masters in Business Administration from the University of Washington (1985) and a Bachelor of Arts from the University of Pittsburgh.
IMT552 Course Overview
Course Topics
• Introduction, Review of IA, Overview
• Risk Management Theory
• GRC Approaches: COSO, NIST and ISO
• Learning the Language of Risk Management: Alternate Models
• Qualitative and Quantitative Risk Assessment: Root Cause Analysis, Threats, Vulnerabilities
• End-to-end Risk Assessment Approach: Risk ID, Drivers, contributing factors – measuring risk
• Risk Reporting: Communicating with Management
• Communicating Risks, Findings, Compliance
• Risk Intelligence
Key Questions
• What is a risk?
• Why do we need to worry about risk?
• What are the key components of managing risks?
• Can it be measured?
• How much risk is acceptable?
• What is the language of risk management?
Risk Management
• Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative)
• Risks can come from uncertainty in financial markets, project failures (at any phase in design, development, production, or sustainment life-cycles), legal liabilities, credit risk, accidents, natural causes and disasters as well as deliberate attack from an adversary, or events of uncertain or unpredictable root-cause.
IMT551 Review
Context Evolution

Attribute               Agricultural Age   Industrial Age      Information Age
Wealth                  Land               Capital             Knowledge
Advancement             Conquest           Invention           Paradigm Shifts
Time                    Sun/Seasons        Factory Whistle     Time Zones
Workplace               Farm               Capital equipment   Networks
Organization Structure  Family             Corporation         Collaborations
Tools                   Plow               Machines            Computers
Problem-solving         Self               Delegation          Integration
Knowledge               Generalized        Specialized         Interdisciplinary
Learning                Self-taught        Classroom           Online
Our Love Affair with the Internet
“Baby Boomers Embracing Mobile Technology”
“US Internet Users Embrace Digital Imaging”
“Docs Embracing Internet”
RESISTANCE IS FUTILE.
PREPARE TO BE ASSIMILATED?
Species 8472: Smashing Industrial Age Infrastructure!
Courtesy: K. Bailey/E. Hayden, CISOs
Unintended Consequences of Embracing the Internet…..
41,000,000 of ‘em out there!
Troubling Realities
“In the world of networked computers every sociopath is your neighbor.”
Dan Geer, Chief Scientist, Verdasys
Growing Threat Spectrum
[Figure: “Cyber Attack Sophistication Continues To Evolve” (Source: CERT 2004). Vertical axis: Intruder Knowledge, High to Low; horizontal axis: 1980, 1985, 1990, 1995, 2000+. Two curves: Attack Sophistication rising over time while the Attacker's Technical Skills required fall. Tools plotted along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth”/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack, bots.]
Cybercrime and Money…
• McAfee CEO: “Cybercrime has become a $105B business that now surpasses the value of the illegal drug trade worldwide”
Symantec Internet Security Threat Report
– Threat landscape is more dynamic than ever
– Attackers rapidly adapting new techniques and strategies to circumvent new security measures
– Today’s Threat Landscape:
  • Increased professionalism and commercialization of malicious activities
  • Threats tailored for specific regions
  • Increasing numbers of multi-staged attacks
  • Attackers targeting victims by first exploiting trusted entities
  • Convergence of attack methods
“If the Internet were a street, I wouldn’t walk it in daytime…” K. Bailey, CISO UW
• 75% of traffic is malicious
• Unprotected computer infected in < 1 minute
• Organized crime makes more money on the Internet than through drugs
• The ‘take’ from the Internet doubles e-commerce
Courtesy: FBI, LE
What does all this mean to you?….
Mini-survey
• How many have received credit notifications?
  • Credit card?
  • Banks?
• How many have been victims of identity theft?
• How many have received phishing emails?
  • Nigerian scam?
  • Phony bank notices?
  • e-Bay/PayPal?
• How many have known of someone solicited online?
http://www.engadget.com/2009/04/28/electronic-voting-outlawed-in-ireland-michael-flatley-dvds-okay/
Electronic voting outlawed in Ireland, Michael Flatley DVDs okay for now by Tim Stevens posted Apr 28th 2009 at 7:23AM
Yes, it's another international blow for electronic voting. We've seen the things proven to be insecure, illegal,
and, most recently, unconstitutional. Now the Emerald Isle is taking a similar step, scrapping an e-voting
network that has cost €51 million to develop (about $66 million) in favor of good 'ol paper ballots. With that
crisis averted Irish politicians can get back to what they do best: blaming each other for wasting €51 million
in taxpayer money.
http://bwcentral.org/voting-fraud/
July 31, 2009, 12:34 pm
Student Fined $675,000 in Downloading Case
By Dave Itzkoff
Photo caption (Bizuayehu Tesfaye/Associated Press): Joel Tenenbaum was found liable for copyright violations in a trial in Boston.
Updated | 7:03 p.m. A jury decided Friday that a Boston University student should pay
$675,000 to four record labels for illegally downloading and sharing music, The Associated
Press reported.
A judge ruled that Joel Tenenbaum, 25, who admitted to downloading more than 800 songs from
the Internet between 1999 and 2007 did so in violation of copyright laws and is liable for
damages. Mr. Tenenbaum testified Thursday in federal district court in Boston that he had
downloaded and shared hundreds of songs by artists including Nirvana, Green Day and the
Smashing Pumpkins, and said that he had lied in pretrial depositions when he said that friends or
siblings may have downloaded the songs to his computer. The record labels involved in the case
have focused on only 30 of the songs that Mr. Tenenbaum downloaded. Under federal law they
were entitled to $750 to $30,000 per infringement, but the jury could have raised that to as much
as $150,000 per track if it found the infringements were willful. In arguments on Friday, The
A.P. reported, a lawyer for Mr. Tenenbaum urged a jury to “send a message” to the music
industry by awarding only minimal damages.
http://artsbeat.blogs.nytimes.com/2009/07/31/judge-rules-student-is-liable-in-music-download-case/
Majority think outsourcing threatens
network security
Angela Moscaritolo
September 29, 2009
A majority of IT security professionals believe that outsourcing technology jobs to offshore
locations has a negative impact on network security, according to a survey released Tuesday.
In the survey of 350 IT managers and network administrators concerned with computer and
network security at their organizations, 69 percent of respondents said they believe outsourcing
negatively impacts network security, nine percent said it had a positive impact and 22 percent said it
had no impact.
The survey, conducted this month by Amplitude Research and commissioned by VanDyke
Software, a provider of secure file transfer solutions, found that 29 percent of respondents'
employers outsource technology jobs to India, China and other locations.
Of those respondents whose companies outsource technology jobs, half said that they believe
doing so has had a negative impact on network security.
Sixty-one percent of respondents whose companies outsource technology jobs also said their
organization experienced an unauthorized intrusion. In contrast, just 35 percent of those whose
company does not outsource did. However, the survey noted that organizations that do
outsource were “significantly” more likely than those that do not to report intrusions.
“We're not going to say we have any proven cause and effect,” Steve Birnkrant, CEO of
Amplitude Research, told SCMagazineUS.com on Tuesday. “Correlation doesn't prove
causation, but it's definitely intriguing that the companies that outsource jobs offshore are more
likely to report unauthorized intrusions.”
In a separate survey released last December from Lumension Security and the Ponemon
Institute, IT security professionals said that outsourcing would be the biggest cybersecurity
threat of 2009.
In light of the recession, companies are outsourcing to reduce costs, but the practice opens
organizations up to the threat of sensitive or confidential information not being properly
protected, and unauthorized parties gaining access to private files, the survey concluded.
In contrast to their overall views about the impact that outsourcing has on network security,
Amplitude/VanDyke Software survey respondents were largely positive about the impact of
outside security audits. Seventy-two percent of respondents whose companies paid for outside
audits said they were worthwhile investments and 54 percent said they resulted in the discovery
of significant security problems.
http://www.scmagazineus.com/Majority-think-outsourcing-threatens-network-security/article/150955/
Connecticut drops felony charges against Julie Amero, four years after her arrest By Rick Green on November 21, 2008 5:16 PM |
The unbelievable story of Julie Amero concluded quietly Friday afternoon at Superior Court in Norwich, with the state of Connecticut dropping four felony pornography charges.
Amero agreed to plead guilty to a single charge of disorderly conduct, a misdemeanor. Amero, who has been hospitalized and suffers from declining health, also surrendered her teaching license.
"Oh honey, it's over. I feel wonderful," Amero, 41, said a few minutes after accepting the deal where she also had to surrender her teaching license. "The Norwich police made a mistake. It was proven. That makes me feel like I'm on top of the world."
In June of 2007, Judge Hillary B. Strackbein tossed out Amero's conviction on charges that she intentionally caused a stream of "pop-up" pornography on the computer in her classroom and allowed students to view it. Confronted with evidence compiled by forensic computer experts, Strackbein ordered a new trial, saying the conviction was based on "erroneous" and "false information."
But since that dramatic reversal, local officials, police and state prosecutors were unwilling to admit that a mistake may have been made -- even after computer experts from around the country demonstrated that Amero's computer had been infected by "spyware."
New London County State's Attorney Michael Regan told me late Friday the state remained convinced Amero was guilty and was prepared to again go to trial.
"I have no regrets. Things took a course that was unplanned. Unfortunately the computer wasn't examined properly by the Norwich police," Regan said.
"For some reason this case caught the media's attention,'' Regan said.
The case also caught the attention of computer security experts from California to Florida, who read about Amero's conviction on Internet news sites. Recognizing the classic signs of a computer infected by malicious adware, volunteers examined computer records and the hard drive and determined that Amero was not responsible for the pornographic stream on her computer.
The state never conducted a forensic examination of the hard drive and instead relied on the expertise of a Norwich detective, with limited computer experience. Experts working for Amero ridiculed the state's evidence, saying it was a classic case of spyware seizing control of the computer. Other experts also said that Amero's response -- she failed to turn off the computer -- was not unusual in cases like this.
Among other things, the security experts found that the Norwich school system had failed to properly update software that would have blocked the pornography in the first place.
http://blogs.courant.com/rick_green/2008/11/connecticut-drops-felony-charg.html
Interdependence of Critical Infrastructure
A Metaphor…..
Information Assurance
How do we stay safe online?
The CIA of IA: Confidentiality, Integrity, Availability
ƒ(context, needs, customs, laws)
Security Design: Threats, Vulnerabilities, Controls
(Threats + Vulnerabilities Controls)
The Castle Approach: Defense in Depth
Protect your data
• Perimeter defense: firewalls
• Layered defense: AV, IDS, IPS
• However, these aren’t working!
Organizational Information Assurance
• No BOK for IA/IS
• CISO : ISRM as CEO : MBA
• Curriculum Framework
Trusting Controls
Assumes:
• Design implements your goals
• Sum total of controls implement all goals
• Implementation is correct
• Installation/administration are correct
Bottom line assumption:
You Will Never Own a Perfectly Secure System!!!
Costs:
• Solution
• Value
• Potential losses
Risks:
• Likelihood
• Potential impacts
Balance Risk vs. Cost
We Need To Manage Risk
“Risk is like a fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.” Theodore Roosevelt
“The purpose of risk management is to change the future, not to explain the past.” “The Book of Risk”, Dan Borge
Everyone has an opinion….
General Approach
• identify, characterize, and assess threats
• assess the vulnerability of critical assets
• determine the risk (i.e. expected consequences of specific types of attacks on specific assets)
• identify ways to reduce those risks
• prioritize risk reduction measures
Definitions and Terms
Risk (n)
• Undesirable effect of uncertainty on achieving business objectives
Risk (v)
• To put something in a state where it may encounter undesirable effects on achieving objectives due to uncertainty.
Risk Management System or Framework
• A system that addresses risk and reward
Risk Management Process
• Process that establishes context and communicates with stakeholders about risk management, and identifies, analyzes, prioritizes, treats, and monitors risk while addressing reward.
Winter 2011 Certificate for Information Assurance and Cybersecurity
ISO 31000 Risk Assessment Process
Many models…this is just one…
1) Risk Identification (RI)
Identify events and factors that may affect the achievement of business objectives, including those that arise from noncompliance with requirements established by law, standards, internal policies or other mandatory or voluntary boundaries.
Common practices and failures
Common approach
• Keep an eye on the ball
• Listen and look through the organization
• Categorize risks into logical buckets
• Look from all angles
Common sources of failures
• Failing to consider all risk factors
• Missing key aspects in analysis
2) Risk Analysis (RA)
Define the current risk profile by analyzing the inherent and
residual risk after considering current risk management
activities
Common practices and failures
Approach
• Analyze risks from bottom-up and top-down
• Establish clear criteria for acceptability of risk
• Document and share securely
• Remember consistent measurement of inherent and residual risks
Sources of failures
• Being consistent
• Considering only one view
• Using limited methods
• Assessing risks after controls
3) Risk Management (RM)
Evaluate and implement selected risk management action options
Common practices and failures
Common approach
• Evaluate risk optimization tactics and activities
• Determine planned residual risks
• Determine optimizing activities
• Develop key risk indicators
• Develop risk optimization plan
Common sources of failures
• Lack of adequate prioritization
• Not enough monitoring
• Scope of solution is inadequate
• No accountability
• Lack of funding
• Failing to consider human factors
Established Governance and Risk Management methodologies provide a foundation for building RM Programs
• COSO Enterprise Risk Management
• Control Objectives for Information and related Technology (COBIT)
• McCumber cube - evaluating information assurance programs
Companies often adopt a hybrid
Guiding Principles
• create value: the gain should exceed the pain
• be an integral part of organizational processes
• be part of decision making
• explicitly address uncertainty and assumptions
• be systematic and structured
• be based on the best available information
• be tailorable
• take into account human factors
• be transparent and inclusive
• be dynamic, iterative and responsive to change
• be capable of continual improvement and enhancement
• be continually or periodically re-assessed
Ideal assessment method should be: flexible, agile, standard, extendable, optimal for quarterly updates, efficient, better understood
ERM: top-down / bottom-up assessments
Example: ISO 31010-based risk assessment methodology and process
Phase 1: Scoping and Planning
Sets expectations and domain environmental (external and internal) context
ExRA Scoping document: assessment goals, scope, expectations, accountabilities
Risk Advisory Council; Business and TwC domain SMEs; Communication
External Context: regulatory changes and outreach activities; competitive moves; external incidents; customer/partner SAT; domain objectives
Internal Context: org changes; domain objectives; business plans, strategies, etc.; compliance tools changes; vendors and dependencies changes
Quarterly assessment: What’s changed?
Phase 2: Risk Identification
Risk identification through evidence and collaboration
BG and TwC SME brainstorm: new risk scenarios, risks
Privacy risk scenario example 1: Organized hackers (actor) exploiting weaknesses in external infrastructure (asset), stealing customer private information (asset), publicly exposing it and repeating (timing) the process, humiliating the Company. (Sony PSP April 2011 hack scenario)
Accessibility risk scenario example 2: US Congress expands ADA to cover all online interactions, thus forcing Microsoft to retrofit all of its products and services within 36 months to meet the bar.
Phase 3: Risk Analysis
Measure risk likelihood and consequence to the Company
Risk Impact?
• Objective failure?
• New circumstances?
• Compound effect?
• Worst case?
• Historical data?
Drivers
• Financial
• Operational
• Strategic
• Ethical
• Reputation
• Technological
• Legal/Regulatory
• Human Capital
Likelihood?
• Happened to us or competitors?
• Predictive techniques possible?
• Expert judgment
Controls?
• New/changed/planned controls?
• Evidence of effectiveness and efficiency?
[Figure: likelihood × consequence matrix, both scales numbered 1–6, with the high-scoring corner marked “Focus”.]
Phase 4: Risk Evaluation
Recommend mitigations
[Figure: the same likelihood × consequence matrix with its “Focus” region, showing “Your risk today”, “Your risk target” and the distance between them: “This much you have to do”.]
Strategy changes? New tactics? Alignment with other groups? Feasibility of change? Cost/benefit? Low hanging fruit? Dependencies? Accountabilities?
Options, always options
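One way to carry the Phase 3 scoring (inherent vs. residual likelihood × consequence) and the Phase 4 comparison of "your risk today" against "your risk target" into a working risk register, as an added example that is not the lecture's own method: the 1–5 scales, the per-control reductions, the Focus threshold and the three sample risks are all constructed here, though the risks echo the scenarios the deck discusses.

```python
from dataclasses import dataclass, field

# Constructed ordinal scales for the two matrix axes (assumption: the
# lecture's matrix is ordinal; 1-5 is used here instead of 1-6 for brevity).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
FOCUS_THRESHOLD = 12  # constructed: scores at or above this sit in the "Focus" corner


@dataclass
class Risk:
    name: str
    likelihood: str                 # inherent likelihood, before any control
    consequence: str                # inherent consequence, before any control
    # Existing controls as (name, likelihood reduction, consequence reduction);
    # the reductions are constructed estimates a SME would supply in Phase 3.
    controls: list = field(default_factory=list)
    target: int = 4                 # residual score the business will accept

    def inherent(self) -> int:
        """Phase 3 inherent risk: likelihood x consequence with no controls."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def residual(self) -> int:
        """Phase 3 residual risk: apply each control's reduction, floored at 1."""
        lik, con = LIKELIHOOD[self.likelihood], CONSEQUENCE[self.consequence]
        for _, d_lik, d_con in self.controls:
            lik, con = max(1, lik - d_lik), max(1, con - d_con)
        return lik * con

    def gap(self) -> int:
        """Phase 4 'this much you have to do': residual still above target."""
        return max(0, self.residual() - self.target)

    def in_focus(self) -> bool:
        """True when the residual score still sits in the matrix's Focus corner."""
        return self.residual() >= FOCUS_THRESHOLD


def prioritise(register: list) -> list:
    """Phase 4 ordering: largest gap to target first, residual score as tie-break."""
    return sorted((r for r in register if r.gap() > 0),
                  key=lambda r: (r.gap(), r.residual()), reverse=True)


# Constructed register echoing the deck's privacy and accessibility scenarios
# and the spyware-on-an-unpatched-classroom-PC case it recounts.
REGISTER = [
    Risk("External infrastructure breach exposes customer data", "likely", "severe",
         controls=[("perimeter patching cadence", 1, 0),
                   ("customer data encrypted at rest", 0, 2)]),
    Risk("ADA expansion forces retrofit of online services", "possible", "major",
         controls=[("accessibility review in release gate", 1, 1)]),
    Risk("Unpatched classroom PC infected by adware", "almost certain", "moderate",
         controls=[("web filter signatures kept current", 2, 0), ("endpoint AV", 1, 0)],
         target=6),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: inherent={r.inherent()} residual={r.residual()} "
              f"target={r.target} gap={r.gap()} focus={r.in_focus()}")
    print("Work first on:", [r.name for r in prioritise(REGISTER)])
```

The third risk shows the "assessing risks after controls" failure the deck warns about: its residual score meets target only because the controls are assumed effective, so the register must carry the inherent score alongside it.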
Phase 5: Risk Treatment
Select AND implement recommendations
Specific mitigations
Mitigations tracked by how they affect the risks
Monitoring and Review
Events, data and capabilities drive periodic assessments
Assessment of mitigations / controls effectiveness, with events / changes in environment factored in
Course correction or JOB DONE!
Communication & Consultation
Persistent process throughout risk management lifecycle
BG-specific reporting
Example of E2E Process
[Figure: end-to-end process flow laid out on a Quarterly / Bi-Annual / Annual timescale.]
Artifacts: Basic Risk Payload; TwC Risk Report; QBR Risk Scorecards; ERM Board Reports; Strategy Planning Docs; ERM Annual Assessment; Enterprise Risk Assessment; Policy Updates; Inform BGs
Inputs: Micro-level risk assessments (FRA, CRA, Trust-X, SRA..); Controls – training stats, compliance, incident data; Data from the BGs (assessment, strategy, incidents); External and environmental data; PAGO SME input; BG stakeholder input
Questions?